Skip to content
Snippets Groups Projects
Select Git revision
  • bbb700c54d2145cf68f63d671f660f8ec0bb3f9a
  • main default protected
  • next
  • revert-31645-feat/rename-gradle-wrapper-validation-action
  • renovate/main-redis-5.x
  • fix/36615b-branch-reuse-no-cache
  • chore/punycode
  • fix/36615-branch-reuse-bug
  • refactor/pin-new-value
  • feat/36219--git-x509-signing
  • feat/structured-logger
  • hotfix/39.264.1
  • feat/skip-dangling
  • gh-readonly-queue/next/pr-36034-7a061c4ca1024a19e2c295d773d9642625d1c2be
  • hotfix/39.238.3
  • refactor/gitlab-auto-approve
  • feat/template-strings
  • gh-readonly-queue/next/pr-35654-137d934242c784e0c45d4b957362214f0eade1d7
  • fix/32307-global-extends-merging
  • fix/32307-global-extends-repositories
  • gh-readonly-queue/next/pr-35009-046ebf7cb84ab859f7fefceb5fa53a54ce9736f8
  • 41.34.1
  • 41.34.0
  • 41.33.0
  • 41.32.3
  • 41.32.2
  • 41.32.1
  • 41.32.0
  • 41.31.1
  • 41.31.0
  • 41.30.5
  • 41.30.4
  • 41.30.3
  • 41.30.2
  • 41.30.1
  • 41.30.0
  • 41.29.1
  • 41.29.0
  • 41.28.2
  • 41.28.1
  • 41.28.0
41 results

validation.js

Blame
  • decrypt.ts 4.00 KiB
    import crypto from 'crypto';
    import is from '@sindresorhus/is';
    import { logger } from '../logger';
    import { maskToken } from '../util/mask';
    import { add } from '../util/sanitize';
    import { getAdminConfig } from './admin';
    import type { RenovateConfig } from './types';
    
    export function decryptConfig(config: RenovateConfig): RenovateConfig {
      logger.trace({ config }, 'decryptConfig()');
      const decryptedConfig = { ...config };
      const { privateKey } = getAdminConfig();
      for (const [key, val] of Object.entries(config)) {
        if (key === 'encrypted' && is.object(val)) {
          logger.debug({ config: val }, 'Found encrypted config');
          if (privateKey) {
            for (const [eKey, eVal] of Object.entries(val)) {
              try {
                let decryptedStr: string;
                try {
                  logger.debug('Trying default padding for ' + eKey);
                  decryptedStr = crypto
                    .privateDecrypt(privateKey, Buffer.from(eVal, 'base64'))
                    .toString();
                  logger.debug('Decrypted config using default padding');
                } catch (err) {
                  logger.debug('Trying RSA_PKCS1_PADDING for ' + eKey);
                  decryptedStr = crypto
                    .privateDecrypt(
                      {
                        key: privateKey,
                        padding: crypto.constants.RSA_PKCS1_PADDING,
                      },
                      Buffer.from(eVal, 'base64')
                    )
                    .toString();
                  // let it throw if the above fails
                }
                // istanbul ignore if
                if (!decryptedStr.length) {
                  throw new Error('empty string');
                }
                logger.debug(`Decrypted ${eKey}`);
                if (eKey === 'npmToken') {
                  const token = decryptedStr.replace(/\n$/, '');
                  add(token);
                  logger.debug(
                    { decryptedToken: maskToken(token) },
                    'Migrating npmToken to npmrc'
                  );
                  if (is.string(decryptedConfig.npmrc)) {
                    /* eslint-disable no-template-curly-in-string */
                    if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {
                      logger.debug('Replacing ${NPM_TOKEN} with decrypted token');
                      decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                        /\${NPM_TOKEN}/g,
                        token
                      );
                    } else {
                      logger.debug(
                        'Appending _authToken= to end of existing npmrc'
                      );
                      decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                        /\n?$/,
                        `\n_authToken=${token}\n`
                      );
                    }
                    /* eslint-enable no-template-curly-in-string */
                  } else {
                    logger.debug('Adding npmrc to config');
                    decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
                  }
                } else {
                  decryptedConfig[eKey] = decryptedStr;
                  add(decryptedStr);
                }
              } catch (err) {
                const error = new Error('config-validation');
                error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
                throw error;
              }
            }
          } else {
            logger.error('Found encrypted data but no privateKey');
          }
          delete decryptedConfig.encrypted;
        } else if (is.array(val)) {
          decryptedConfig[key] = [];
          val.forEach((item) => {
            if (is.object(item) && !is.array(item)) {
              (decryptedConfig[key] as RenovateConfig[]).push(
                decryptConfig(item as RenovateConfig)
              );
            } else {
              (decryptedConfig[key] as unknown[]).push(item);
            }
          });
        } else if (is.object(val) && key !== 'content') {
          decryptedConfig[key] = decryptConfig(val as RenovateConfig);
        }
      }
      delete decryptedConfig.encrypted;
      logger.trace({ config: decryptedConfig }, 'decryptedConfig');
      return decryptedConfig;
    }